swarmcity / sc-boardwalk

NO LONGER ACTIVE, current development of dApp in SwarmCitySite

IPFS based DOS attack: `cat` should stop buffering after a certain threshold has been broken #230

Open sophiii opened 7 years ago

sophiii commented 7 years ago

Actual behavior: Right now if the dapp requests an IPFS file that is 1000 GB it will start downloading it and keep going until the dapp crashes.

Expected behavior: IPFS should only allow downloading files less than 5 MB. It should fail once 5MB is breached.

Steps to reproduce the problem: In file https://github.com/swarmcity/sc-boardwalk/blob/master/src/sc-ipfs/sc-ipfs.html you can see that cat keeps downloading until then. To reproduce you will need to find the IPFS hash that is really big.

Create a Hashtag with but instead of passing _metadataHash you pass an IPFS hash. Then get the dapp to load that Hashtag.

Outcome: This will crash the dapp whenever people try to load this hashtag. I am unsure about the severity here but it's something we need to be careful about.

bkawk commented 7 years ago

How would the dapp request a massive IPFS file, where can the user enter this IPFS hash?

ghost commented 7 years ago

Probably when restoring an ipfs backup? Or, since the dapp is client side, manually requesting it from the ipfs gateway

bkawk commented 7 years ago

Can we use iron-ajax to make a GET request to `/api/v0/file/ls?arg={{ipfs-path}}` to get the file size before making a request for the file?

sophiii commented 7 years ago

Or someone can upload an mp4 movie as a profile picture. I am not sure about the fix.

In https://github.com/swarmcity/sc-boardwalk/blob/master/src/sc-ipfs/sc-ipfs.html we could count how many buffers we have read in `cat`. Hopefully IPFS has a way to check file size before download.

bkawk commented 7 years ago

Have you tried to upload an mp4 as a profile pic? If it causes an issue, maybe a new issue is best.

sophiii commented 7 years ago

I agree. But a malicious actor could bypass the user interface checking and upload a large file as their profile picture. This can then crash the dapp.
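
One way to enforce the threshold discussed in this thread, shown as an added example (it is not part of the thread or of sc-boardwalk's code). `readWithLimit`, `SizeLimitError` and `fakeSource` are hypothetical names, and the source is assumed to be an async iterable of `Uint8Array` chunks; a constructed generator stands in for the IPFS read.

```javascript
// 5 MB cap proposed in the issue (taken here as 5 * 1024 * 1024 bytes).
const MAX_BYTES = 5 * 1024 * 1024;

class SizeLimitError extends Error {
  constructor(seen, limit) {
    super(`content exceeds ${limit} bytes (saw at least ${seen})`);
    this.name = 'SizeLimitError';
    this.seen = seen;
    this.limit = limit;
  }
}

// Hypothetical helper: buffer chunks from `source`, but fail closed as soon
// as the running total passes `limit` instead of reading to the end.
async function readWithLimit(source, limit = MAX_BYTES) {
  const chunks = [];
  let total = 0;
  for await (const chunk of source) {
    total += chunk.length;
    if (total > limit) {
      // Throwing inside for-await calls source.return(), so the producer
      // is told to stop and no further chunks are pulled or stored.
      throw new SizeLimitError(total, limit);
    }
    chunks.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) {
    out.set(c, offset);
    offset += c.length;
  }
  return out;
}

// Constructed stand-in for a very large file: yields 1 MiB chunks and
// records how many were produced and whether the stream was closed.
function fakeSource(chunkCount, stats) {
  return (async function* () {
    try {
      for (let i = 0; i < chunkCount; i++) {
        stats.produced++;
        yield new Uint8Array(1024 * 1024);
      }
    } finally {
      stats.closed = true; // also runs when the consumer aborts early
    }
  })();
}
```

A size lookup before the download, as suggested in the thread, would save bandwidth, while the cap during the read bounds memory even when no size is known up front.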